At an Aug. 1 press conference, prosecutors alleged FIN7 stole 15 million payment cards from more than 150 companies in the U.S. and abroad. Security experts, meanwhile, as of 2015 had already tied the gang's activities to more than $1 billion in fraud.

One of FIN7's primary targets has been businesses that gather payment card data. "FIN7 most commonly focused on fast-food and casual dining restaurants, hotels, casinos and businesses with a high frequency of point-of-sale transactions," the U.S. Department of Justice says.

That's no surprise, because stolen payment card data can be sold on underground marketplaces, giving attackers a quick way to monetize their hack attacks.

Popular Target: Catering and Group Bookings

Law enforcement officials alllege that the FIN7 gang would make telephone calls to individuals handling catering or group bookings inside businesses in an attempt to trick them into opening malicious emails that would unleash malware in the employee's network and potentially give attackers remote access. Sometimes, the emails carried a version of Carbanak malware, which is designed to steal access credentials as well as take screenshots of a victim's PC screen, prosecutors say.

"If you look at the detail in these emails, they [FIN7] did a lot of work to decide who to target, how to target, and they sent the email, they followed with a phone call, they knew quite a bit about the company, because most companies have public-facing websites, where you can figure out who the head of catering is," as well as find their email address, FBI Special Agent in Charge Jay S. Tabb Jr. of the FBI's Seattle field office, said at the press conference.

"Because legitimate businesses need to get business" - and for businesses that offer catering, some of those communications are sure to be handled by emailing the catering department - "it's probably not uncommon to have a Word document attached that says 'catering request,'" Tabb said.

Samples of phishing emails sent by FIN7 (Source: U.S. Department of Justice)

"It's hard to defend against this; it's part of why we want to talk about how it happens so that folks really understand what they're looking for," said Annette L. Hayes, U.S. attorney for the Western District of Washington.

But no one is immune to being tricked. Numerous studies have found that even highly technical users occasionally fall for phishing attacks. False positives can also be a problem. In those cases, users discard legitimate emails because they suspect that they're fake.

Reality: Salespeople Need to Sell

Gary Warner of the University of Alabama at Birmingham

Whatever rules a business sets for handling an attachment, it's unlikely that someone whose job is in sales, for example, is going to refrain from opening an email about a potential sales opportunity, provided the email it looks good enough to be real.

"Imagine that your job is booking hotel rooms for group travel, or handling large catering deliveries for business meetings from your restaurant," says Gary Warner, director of research in computer science at the University of Alabama at Birmingham, in a blog post. "A new potential customer calls and says: 'I'd like to book 40 hotel rooms for our sports team that is coming to play in a tournament in your town next month. What email should I send the details to?'"

Or someone says they want to place a big lunch order and would prefer to email the details through. "What sales person is not going to open that attachment?" Warner asks. "Right: Every single one will do so." And that's exactly how FIN7 allegedly operated.

Source: Justice Department

Two-Factor Authentication

As a result, telling employees to beware of fake emails is an incomplete strategy.

Many security experts recommend organizations take another step, requiring employees to use some type of two-factor authentication to access their email and other business-critical systems. That way, attackers may have a tougher time stealing and reusing authentication credentials (see Reddit Says Attackers Bypassed SMS-Based Authentication).

Plenty of scammers have also infiltrated legitimate email accounts and used their contact lists to distribute social engineering attacks to the victim's friends. One example: the "stranded traveler" scam, in which a friend apparently needs money immediately to pay a hotel bill after being robbed of their smartphone and passport while vacationing abroad. These phishing emails get sent from what appears to be a trusted account.

Quarantine Attachments in the Cloud

Maciej Cegłowski, who administers social bookmarking site Pinboard, says a good phishing defense for many organizations might be to always open attachments in the cloud from a device that doesn't run a desktop operating system.

"Talking about attachments is like abstinence education. 'Never open attachments' is correct but untenable advice. ... The safest way to view email is likely on an iPhone, iPad or Chromebook with attachments opening in GDrive," Cegłowski says via Twitter. "If you save [an] attachment to your laptop and upload it to GDrive, take care to delete the local file, or two weeks later you'll wonder 'what was this?' and double-click it."

Don't consider an attachment safe because it came from a trusted party. When they come for your account, it will be in the guise of an attachment or phishing link from someone you know well, and that you've opened dozens of times in the past.

But Warner says that while such a strategy might be viable for smaller organizations - especially newer ones without "a legacy of complex Word and Excel docs" - it likely wouldn't fly for larger businesses, or be foolproof.

"While Google does an excellent job, every company I've worked with has had some emails 'get through,'" he says. "Would moving to Google Docs help stop some of those malicious docs from triggering? Definitely. But are most corporate environments be ready to abandon Microsoft Office? I really don't think so."

Regardless of technology, Warner says that rather than just educating users, "activating" employees to serve as part of an organization's phishing defense is key. "Making sure employees know how and have the tools to handle those suspicious emails is a key to success," he says. So too is ensuring that the security team follows them up.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.